Differences between in and out in Cisco ACL configuration

Many people are confused about the difference between in and out when configuring an ACL. After reading this article, you will find that in and out are actually the same; you only need to be flexible in how you use them.
In and out are relative. For example:

A (s0) ----- (s0) B (s1) -------- (s1) C

Suppose you want to deny A access to C, and you are required to configure the ACL on B (it could also be done on C). We will replace this topology with an analogy: B's s0 port is the front door, B's s1 port is the back door, and B is your living room. The front door connects to A, and the living room's back door connects to your vault (C).
If you want to keep out thieves coming from A, there are two ways to set this up in your living room:

1. Install an iron door (ACL) on the front door of your living room (B's s0), so that thieves are not allowed to come in (in).
2. Install an iron door on the back door of your living room (B's s1): although thieves enter your living room, they still cannot go out (out) to your vault (C).

Both methods (in/out) achieve the effect, but there is still a difference in performance. The best choice is method 1: with method 2, although the thieves never reach the vault, they still get into your living room (B) and dirty the carpet (B has to spend additional, unnecessary processing).

Suppose you want to put the iron door (ACL) on C: should you use in or out then? This question is left for you to answer yourself.

Relative to the router, what comes into the router is in, and what leaves it is out. Extended ACLs are applied close to the source, and standard ACLs close to the destination address. In practice, in and out can be applied very flexibly.
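The two methods above as router B configuration, added here as an illustration and not taken from the original article. The host addresses and the ACL number 101 are constructed for the example; the interface names follow the s0/s1 ports in the topology.

```cisco
! Router B. Constructed addresses (assumptions, not from the article):
!   A = 192.0.2.1     reached through B's Serial0 (front door)
!   C = 198.51.100.3  reached through B's Serial1 (back door)
!
! Extended ACL: matches source AND destination, so only A -> C is blocked.
access-list 101 deny   ip host 192.0.2.1 host 198.51.100.3
! Every ACL ends with an implicit "deny any"; without this line, binding the
! ACL to an interface would drop all other traffic as well.
access-list 101 permit ip any any
!
! Method 1: iron door on the front door.
! The ACL is checked as packets arrive on Serial0, before B routes them.
interface Serial0
 ip access-group 101 in
!
! Method 2 (alternative; apply one of the two, not both):
! iron door on the back door. The same ACL is checked only after B has
! accepted the packet on Serial0 and routed it toward Serial1.
interface Serial1
 ip access-group 101 out
```

To check the result, `show ip interface Serial0` reports which access list is set inbound and outbound on the interface, and `show access-lists 101` shows the match count for each entry.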